iptables rule configuration: add, delete and modify commands

Source: Internet
Author: User


Introduction

iptables is the IP packet filtering system built into the Linux kernel (the netfilter framework, present since kernel 2.4). Whether a Linux system is connected to the Internet or a LAN, acts as a server, or sits as a proxy or gateway between a LAN and the Internet, iptables gives fine-grained control over packet filtering and the firewall configuration of the system.


Management control options for the iptables command

-A (--append) appends a new rule at the end of the specified chain

-I (--insert) inserts a new rule into the specified chain at the given position (position 1, the head of the chain, when no position is given)

-D (--delete) deletes a rule from the specified chain

-R (--replace) replaces a rule in the specified chain; the rule to replace is selected by its number or by its content

-L (--list) lists all rules in the specified chain

-F (--flush) removes all rules from the specified chain

-N (--new-chain) creates a new user-defined chain

-X (--delete-chain) deletes a user-defined chain from the specified table

-P (--policy) sets the default policy for the specified chain

-V (--version) shows the version of the iptables tool

-v (--verbose) shows packet and byte counters and interfaces when listing rules

-h (--help) shows command help

-n (--numeric) shows numeric output, for example IP addresses instead of host names and port numbers instead of service names

--line-numbers shows the position number of each rule in the chain when listing rules

Note that option letters are case sensitive: -N creates a chain while -n means numeric output, -P sets a policy while -p selects a protocol, and -V prints the version while -v means verbose.

Matching criteria options for the iptables command

IP address:

Source address: -s (--source)

Destination address: -d (--destination)

Ports:

Source port: --sport (--source-port)

Destination port: --dport (--destination-port)

Protocol: -p (--protocol); a port match is only valid together with -p tcp or -p udp, since only those protocols have ports

Only the most commonly used parameters are listed here; see man iptables for the rest.

1, view

iptables -nvL --line-numbers

-L lists all rules of the current table; the filter table is shown by default, add -t nat to see the NAT table
-n does not reverse-resolve IP addresses or service names; with this option the listing is much faster
-v shows details: the number of packets and bytes that have matched each rule, and the network interfaces
--line-numbers shows the position number of each rule, which is what you use when deleting or modifying a rule by number




(1) Viewing the existing iptables rules

[root@tp ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (0 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 255
ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     ah   --  0.0.0.0/0            0.0.0.0/0
ACCEPT     udp  --  0.0.0.0/0            224.0.0.251         udp dpt:5353
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:631
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:25
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

As you can see, when I installed Linux I chose to enable the firewall and opened ports 22, 80 and 25. (The "0 references" after the chain name means that no built-in chain currently jumps to RH-Firewall-1-INPUT, so the rules listed under it are not being consulted at this moment; normally INPUT and FORWARD both jump to it.)

If you did not choose to start the firewall when installing Linux, it looks like this:

[root@tp ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

There are no rules at all.

2, add

There are two options for adding a rule: -A and -I. -A appends the rule at the end of the chain; -I inserts it at a given position, and at the head of the chain when no position is given.

Current rules:

[root@test ~]# iptables -nL --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    DROP       all  --  192.168.1.1          0.0.0.0/0
2    DROP       all  --  192.168.1.2          0.0.0.0/0
3    DROP       all  --  192.168.1.4          0.0.0.0/0

Append a rule at the tail:

[root@test ~]# iptables -A INPUT -s 192.168.1.5 -j DROP

Insert a rule as the third row; the row number is written directly after the chain name:

[root@test ~]# iptables -I INPUT 3 -s 192.168.1.3 -j DROP

View the result:

[root@test ~]# iptables -nL --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    DROP       all  --  192.168.1.1          0.0.0.0/0
2    DROP       all  --  192.168.1.2          0.0.0.0/0
3    DROP       all  --  192.168.1.3          0.0.0.0/0
4    DROP       all  --  192.168.1.4          0.0.0.0/0
5    DROP       all  --  192.168.1.5          0.0.0.0/0

192.168.1.3 is now in row 3, and the old row 3 (192.168.1.4) has moved down to row 4.




First the INPUT chain. Its default policy (set below) is DROP, so the rules we write for it are the ACCEPT (allow) rules.

To keep remote SSH logins working, open port 22:

[root@tp ~]# iptables -A INPUT -p tcp --dport 22 -j ACCEPT

[root@tp ~]# iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT

(Note: the OUTPUT rule is only needed if you set the OUTPUT policy to DROP. Many people miss this rule and then can never SSH in: the connection request is accepted, but the replies are dropped on the way out. Other ports work the same way: if a web server is running and OUTPUT is set to DROP, add the matching rule as well:

[root@tp ~]# iptables -A OUTPUT -p tcp --sport 80 -j ACCEPT

and so on for the others.)

For a web server, open port 80:

[root@tp ~]# iptables -A INPUT -p tcp --dport 80 -j ACCEPT

For a mail server, open ports 25 and 110:

[root@tp ~]# iptables -A INPUT -p tcp --dport 110 -j ACCEPT

[root@tp ~]# iptables -A INPUT -p tcp --dport 25 -j ACCEPT

For an FTP server, open port 21 (and port 20, used for active-mode data connections):

[root@tp ~]# iptables -A INPUT -p tcp --dport 21 -j ACCEPT

[root@tp ~]# iptables -A INPUT -p tcp --dport 20 -j ACCEPT

For a DNS server, open port 53 (DNS uses UDP as well as TCP, so the same rule with -p udp is needed too):

[root@tp ~]# iptables -A INPUT -p tcp --dport 53 -j ACCEPT

For any other server, write a rule for whichever port it needs.

The rules above are mostly INPUT rules; anything not matched by them is dropped by the default policy.

Allow ICMP packets through, that is, allow ping:

[root@tp ~]# iptables -A OUTPUT -p icmp -j ACCEPT (needed if OUTPUT is set to DROP)

[root@tp ~]# iptables -A INPUT -p icmp -j ACCEPT (needed if INPUT is set to DROP)

Allow the loopback interface! Otherwise local services that talk to themselves over 127.0.0.1 (a local DNS resolver, for example) stop working.
iptables -A INPUT -i lo -p all -j ACCEPT (if INPUT is DROP)
iptables -A OUTPUT -o lo -p all -j ACCEPT (if OUTPUT is DROP)

Now the OUTPUT chain. Its default policy is ACCEPT, so the rules we write for it are the DROP (discard) rules.

Reduce connections on unsafe ports:

[root@tp ~]# iptables -A OUTPUT -p tcp --sport 31337 -j DROP

[root@tp ~]# iptables -A OUTPUT -p tcp --dport 31337 -j DROP

Some Trojan horses scan for services on ports 31337 through 31340 (31337 is "eleet" in hacker slang). Legitimate services do not use these non-standard ports, so blocking them reduces the chance of an infected machine on your network talking to its remote control server on its own.

There are other such ports: 31335, 27444, 27665, 20034 (NetBus), 9704, 137-139 (SMB) and 2049 (NFS) should also be blocked. This list is not complete; interested readers should look up the relevant information. Keep in mind that a Trojan can use any port, so a blocklist like this only supplements a default-DROP policy and never replaces it.

If you want to be safer, you can also set the OUTPUT chain to DROP and then add ACCEPT rules the same way as above, for example the one that allows SSH.


The following is a more specific rule that restricts access to one machine.

For example, only allow the machine 192.168.0.3 to connect over SSH:

[root@tp ~]# iptables -A INPUT -s 192.168.0.3 -p tcp --dport 22 -j ACCEPT

To allow or restrict a whole range of addresses, use 192.168.0.0/24 to mean every address from 192.168.0.1 to 192.168.0.255; the 24 is the number of bits in the subnet mask.

But remember to delete this line from /etc/sysconfig/iptables:

-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

because it lets every address log in, and the first matching rule in the chain wins. You can also delete it with a command:

[root@tp ~]# iptables -D INPUT -p tcp --dport 22 -j ACCEPT

and then save. To put it the other way round: rules set with commands only take effect for the running system; for them to survive a restart they must be saved, that is, written to /etc/sysconfig/iptables:

[root@tp ~]# /etc/rc.d/init.d/iptables save

Writing ! 192.168.0.3 in place of the address (-s ! 192.168.0.3, or ! -s 192.168.0.3 in newer iptables versions) matches every address except 192.168.0.3.

Rules for other connections are set the same way.


Next the FORWARD chain. Its default policy is DROP, so the rules we write for it are the ACCEPT rules; the FORWARD chain sees the traffic that is routed through this machine.

Enable forwarding (when doing NAT with a FORWARD policy of DROP, this is required):

[root@tp ~]# iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT

[root@tp ~]# iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT (the target is missing in the original; ACCEPT is what the surrounding text describes)

With eth1 on the LAN side and eth0 on the Internet side, this lets the LAN open connections outward and lets only the replies to them come back in.

Discard bad TCP packets (packets that start a new connection but are not SYN packets):

[root@tp ~]# iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP

Limit the number of IP fragments to prevent fragment attacks, allowing 100 per second:

[root@tp ~]# iptables -A FORWARD -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT

Filter ICMP packets to allow 1 per second, with a burst of 10 packets before the limit kicks in:

[root@tp ~]# iptables -A FORWARD -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT

Note that a limit rule only accepts the packets within the limit; packets over the limit fall through to the rules after it and, in the end, to the DROP policy.

Earlier I simply allowed ICMP packets through because the restriction is applied here.


3, delete

Delete with the -D option.

Delete the rule added earlier (iptables -A INPUT -s 192.168.1.5 -j DROP) by repeating its content:

[root@test ~]# iptables -D INPUT -s 192.168.1.5 -j DROP

Sometimes a rule is too long to delete this way: writing it out again wastes time and is easy to get wrong. Then use --line-numbers to find the rule's number and delete it by number. (The -L command must be given; without a command iptables only complains:)

[root@test ~]# iptables -nv --line-numbers
iptables v1.4.7: no command specified
Try `iptables -h' or 'iptables --help' for more information.
[root@test ~]# iptables -nL --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    DROP       all  --  192.168.1.1          0.0.0.0/0
2    DROP       all  --  192.168.1.2          0.0.0.0/0
3    DROP       all  --  192.168.1.3          0.0.0.0/0

Delete the rule in row 2:

[root@test ~]# iptables -D INPUT 2

After the deletion the rules below it move up, so the old row 3 becomes row 2; list the rules again before deleting another rule by number.
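Added example, not from the original page: a small shell helper that reads the output of iptables -L INPUT -n --line-numbers and prints the iptables -D commands for every rule whose source column equals a given address. The sample listing is constructed for the example and the function names are my own. The point it shows is the one just made: when several rules are deleted by number, they must be deleted from the highest number down, because every deletion renumbers the rules after it.

```shell
#!/bin/sh
# Given the output of "iptables -L INPUT -n --line-numbers" on stdin, print the
# numbers of all rules whose source column equals $1, highest number first.
# Deleting from the highest number down keeps the remaining numbers valid;
# deleting rule 2 and then rule 5 would actually remove the rule that was 6.
matching_rule_numbers() {
  src=$1
  # columns: num target prot opt source destination [extra]
  awk -v src="$src" '$1 ~ /^[0-9]+$/ && $5 == src { print $1 }' | sort -rn
}

# Turn the numbers into delete commands for chain $1, in the safe order.
# Pipe the listing in, review the commands, then feed them to sh.
delete_commands() {
  chain=$1; src=$2
  matching_rule_numbers "$src" | while read -r n; do
    echo "iptables -D $chain $n"
  done
}

# Constructed sample listing (what "iptables -L INPUT -n --line-numbers" prints).
SAMPLE_LISTING='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    DROP       all  --  192.168.1.1          0.0.0.0/0
2    DROP       all  --  192.168.1.2          0.0.0.0/0
3    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
4    DROP       all  --  192.168.1.4          0.0.0.0/0
5    DROP       all  --  192.168.1.2          0.0.0.0/0'

# usage: printf '%s\n' "$SAMPLE_LISTING" | delete_commands INPUT 192.168.1.2
# on a live system: iptables -L INPUT -n --line-numbers | delete_commands INPUT 192.168.1.2
```

On a live system the listing comes from iptables itself, and the generated commands should be read before they are executed, since the source column alone does not distinguish two rules that differ only in their other matches.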




Whether or not you enabled the firewall when installing Linux, if you want to configure your own firewall, first clear all the rules in the filter table:

[root@tp ~]# iptables -F (removes the rules of every chain in the default table, filter)

[root@tp ~]# iptables -X (deletes the user-defined chains in the default table, filter; -F must come first, because -X refuses to delete a chain that still contains rules or is still referenced)

Have a look:

[root@tp ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Nothing, the same as a Linux installed without the firewall. (Note in advance: these settings are like configuring an IP address with a command, they are lost on reboot.) To save them:

[root@tp ~]# /etc/rc.d/init.d/iptables save

This writes them to /etc/sysconfig/iptables. Back up that file before changing the firewall, and restart the service to make the saved file take effect:

[root@tp ~]# service iptables restart

Now there is nothing in the iptables configuration, so let's start our own configuration.


(3) Set the default policies

[root@tp ~]# iptables -P INPUT DROP

[root@tp ~]# iptables -P OUTPUT ACCEPT

[root@tp ~]# iptables -P FORWARD DROP

This means that in the filter table, any packet that is not matched by a rule in the INPUT or FORWARD chain is dropped (discarded). This is the safe configuration: we want to control the flow of packets explicitly.

For the OUTPUT chain we do not impose many restrictions and take ACCEPT, so a packet not matched by any rule is let through.

So the INPUT and FORWARD chains work as whitelists of what is allowed in, while the OUTPUT chain lets everything out unless a rule drops it.

This setup is reasonable. Of course you can set all three to DROP, but I do not think it is necessary, and the number of rules to write grows. If you only need a small number of rules, for instance on a machine that is only a web server, then setting all three chains to DROP is recommended.

Note: if you are logged in over SSH, the connection is dropped the moment you press Enter on the first command, because no rule allowing SSH has been set yet.

What to do? Go and do it at the local console! (Or add the ACCEPT rules for loopback, established connections and SSH before changing the policy, or load the whole ruleset in one step with iptables-restore.)
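As an added example (not part of the original page), here is the whitelist firewall built up in the sections above, written as one ruleset in the iptables-save format that /etc/sysconfig/iptables uses, generated by a shell function so it can be loaded atomically with iptables-restore. Loading everything in one step avoids the lock-out just described, because the DROP policy and the ACCEPT rules take effect together. The admin network 192.168.0.0/24 is taken from the text; the FW-DROP log prefix and the helper names are my own choices. The second function is a check run on the generated text before loading: it verifies that the loopback and RELATED,ESTABLISHED rules precede every per-service rule, which is both faster (replies match on the second rule) and what keeps existing connections alive.

```shell
#!/bin/sh
# Build a whitelist filter ruleset in iptables-save format.
# Apply atomically with:  build_ruleset 192.168.0.0/24 | iptables-restore
# (constructed example; 192.168.0.0/24 is the admin network from the text)
build_ruleset() {
  admin_net=$1
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback first: local services talk to themselves over lo
-A INPUT -i lo -j ACCEPT
# replies to connections we opened, and related traffic (FTP data, ICMP errors)
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# new TCP connections must start with a SYN
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
# SSH only from the admin network
-A INPUT -s $admin_net -p tcp --dport 22 -m state --state NEW -j ACCEPT
# public services
-A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
# ping, rate limited
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 10 -j ACCEPT
# log what falls through (rate limited, with a greppable prefix), then reject
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Sanity check on the generated text (stdin) before loading it: the lo rule
# must come before the RELATED,ESTABLISHED rule, and both must come before the
# first per-service (--dport) rule. Returns 0 when the order is right.
check_order() {
  n=0; lo=0; est=0; first_svc=0
  while IFS= read -r line; do
    case $line in
      -A*) n=$((n + 1)) ;;
      *) continue ;;           # skip table, policy, comment and COMMIT lines
    esac
    case $line in
      *"-i lo "*) lo=$n ;;
      *"ESTABLISHED -j ACCEPT"*) est=$n ;;
      *"--dport "*) [ "$first_svc" -eq 0 ] && first_svc=$n ;;
    esac
  done
  [ "$lo" -gt 0 ] && [ "$est" -gt 0 ] && [ "$lo" -lt "$est" ] && [ "$first_svc" -gt "$est" ]
}

# usage:
#   build_ruleset 192.168.0.0/24 | check_order && build_ruleset 192.168.0.0/24 | iptables-restore
```

OUTPUT is left at ACCEPT, as the text recommends, so no --sport rules are needed. Because iptables-restore replaces the filter table in one transaction, a typo in the file is rejected as a whole and the old rules stay in place; this is the safe way to change a firewall over SSH.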

4, modify

Modify with the -R option.

First look at the current rules:

[root@test ~]# iptables -nL --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    DROP       all  --  192.168.1.1          0.0.0.0/0
2    DROP       all  --  192.168.1.2          0.0.0.0/0
3    DROP       all  --  192.168.1.5          0.0.0.0/0

Change the third rule to ACCEPT:

[root@test ~]# iptables -R INPUT 3 -j ACCEPT

View the result:

[root@test ~]# iptables -nL --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    DROP       all  --  192.168.1.1          0.0.0.0/0
2    DROP       all  --  192.168.1.2          0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

The target of rule 3 has been changed to ACCEPT. Note that -R replaces the whole rule, not just the target: the source match 192.168.1.5 is gone because the new rule did not specify it, so rule 3 now accepts everything. To keep the match, repeat the -s source specification together with the new target.

iptables -E old-chain-name new-chain-name
Renames the chain old-chain-name to new-chain-name.
Description
iptables is used to set up, maintain and inspect the IP packet filtering rules of the Linux kernel.
Several different tables may be defined. Each table contains a number of built-in chains and may also contain user-defined chains. Each chain is a list of rules which can match a set of packets: each rule specifies what to do with a packet that matches. This is called a target, which may be a jump to a user-defined chain in the same table.

TARGETS
A firewall rule specifies criteria for a packet and a target. If the packet does not match, the next rule in the chain is examined; if it does match, the next step is determined by the value of the target, which can be the name of a user-defined chain or one of the special values ACCEPT, DROP, QUEUE or RETURN.
ACCEPT means to let the packet through. DROP means to drop the packet on the floor. QUEUE means to pass the packet to user space. RETURN means to stop traversing this chain and resume at the next rule in the previous (calling) chain. If the end of a built-in chain is reached, or a rule in a built-in chain with target RETURN is matched, the target specified by the chain policy determines the fate of the packet.

TABLES
There are currently three independent tables (which tables are present at any time depends on the kernel configuration options and on which modules are loaded).
-t table
This option specifies the packet matching table which the command should operate on. If the kernel is configured with automatic module loading, an attempt is made to load the appropriate module for that table if it is not already loaded. The tables are as follows. filter: the default table, containing the built-in chains INPUT (for packets destined for the local host), FORWARD (for packets being routed through the box) and OUTPUT (for locally generated packets). nat: this table is consulted when a packet that creates a new connection is encountered; it consists of three built-in chains, PREROUTING (for altering packets as soon as they come in), OUTPUT (for altering locally generated packets before routing) and POSTROUTING (for altering packets as they are about to go out). mangle: used for specialized packet alteration; in the old kernels this text describes it had two built-in chains, PREROUTING (for altering incoming packets before routing) and OUTPUT (for altering locally generated packets before routing), while since kernel 2.4.18 it has all five built-in chains.
OPTIONS
The options recognized by iptables fall into several different groups.

COMMANDS
These options specify the specific action to perform; only one of them may be specified on the command line unless otherwise stated below. For the long versions of the command and option names you need only use enough letters to ensure that iptables can differentiate it from all other options.
-A --append
Append one or more rules to the end of the selected chain. When the source and/or destination names resolve to more than one address, a rule is added for each possible address combination.

-D --delete
Delete one or more rules from the selected chain. There are two versions of this command: the rule can be specified as its number in the chain (starting at 1 for the first rule) or as a rule to match.

-R --replace
Replace a rule in the selected chain. If the source and/or destination names resolve to multiple addresses, the command fails. Rules are numbered starting at 1.

-I --insert
Insert one or more rules in the selected chain at the given rule number. So if the rule number is 1, the rule or rules are inserted at the head of the chain. This is also the default if no rule number is specified.

-L --list
List all rules in the selected chain. If no chain is selected, all chains are listed. It is legal to specify the -Z (zero) option as well, in which case the chains are atomically listed and zeroed. The exact output is affected by the other arguments given.

-F --flush
Flush the selected chain. This is equivalent to deleting all the rules one by one.

-Z --zero
Zero the packet and byte counters in all chains. It is legal to specify -L as well, to see the counters immediately before they are cleared; see the earlier section.

-N --new-chain
Create a new user-defined chain by the given name. There must be no target of that name already.

-X --delete-chain
Delete the specified user-defined chain. There must be no references to the chain; if there are, you must delete or replace the referring rules before the chain can be deleted. If no argument is given, it attempts to delete every non-built-in chain in the table.

-P --policy
Set the policy for the chain to the given target. Only built-in (non-user-defined) chains can have policies, and neither built-in nor user-defined chains can be policy targets.

-E --rename-chain
Rename the user-specified chain to the user-supplied name. This is cosmetic and has no effect on the structure of the table.

-h --help
Give a (currently very brief) description of the command syntax.

PARAMETERS
The following parameters make up a rule specification, as used in the add, delete, insert, replace and append commands.

-p --protocol [!] protocol
The protocol of the rule or of the packet to check. The specified protocol can be one of tcp, udp, icmp or all, or a numeric value representing one of these protocols or a different one. A protocol name from /etc/protocols is also allowed. A "!" argument before the protocol inverts the test. The number zero is equivalent to all. Protocol all matches all protocols and is the default when this option is omitted. all may not be used in combination with the check command.

-s --source [!] address[/mask]
Source specification. The address can be a host name, a network name or a plain IP address. The mask can be either a network mask or a plain number specifying the number of 1 bits at the left side of the network mask; thus a mask of 24 is equivalent to 255.255.255.0. A "!" argument before the address specification inverts the sense of the address. The flag --src is an alias for this option.

-d --destination [!] address[/mask]
Destination specification. See the description of the -s flag for a detailed description of the syntax. The flag --dst is an alias for this option.

-j --jump target
This specifies the target of the rule, i.e. what to do if the packet matches it. The target can be a user-defined chain (other than the one this rule is in), one of the special built-in targets which decide the fate of the packet immediately, or an extension (see extensions below). If this option is omitted in a rule, matching the rule has no effect on the packet's fate, but the counters on the rule are incremented.

-i --in-interface [!] [name]
Name of the interface via which a packet is received (only for packets entering the INPUT, FORWARD and PREROUTING chains). When the "!" argument is used before the interface name, the sense is inverted. If the interface name ends in a "+", any interface which begins with this name matches. If this option is omitted, the string "+" is assumed, which matches any interface name.

-o --out-interface [!] [name]
Name of the interface via which a packet is going to be sent (only for packets entering the FORWARD, OUTPUT and POSTROUTING chains). When the "!" argument is used before the interface name, the sense is inverted. If the interface name ends in a "+", any interface which begins with this name matches. If this option is omitted, the string "+" is assumed, which matches any interface name.

[!] -f --fragment
This means that the rule only refers to the second and further fragments of fragmented packets. Since there is no way to tell the source or destination ports (or ICMP type) of such a packet, it does not match any rule which specifies them. When the "!" argument precedes the -f flag, the rule only matches head fragments or unfragmented packets.

OTHER OPTIONS
The following additional options can be specified:

-v --verbose
Verbose output. This option makes the list command show the interface address, the rule options (if any) and the TOS masks. The packet and byte counters are also listed, with the suffix K, M or G for 1000, 1,000,000 and 1,000,000,000 multipliers respectively (but see the -x flag to change this). For appending, insertion, deletion and replacement, this causes detailed information on the rule or rules to be printed.

-n --numeric
Numeric output. IP addresses and port numbers are printed in numeric format. By default the program tries to display them as host names, network names or service names (whenever applicable).

-x --exact
Expand numbers. Display the exact value of the packet and byte counters instead of the rounded number in K (thousands), M (millions) and G (billions). This option is only relevant for the -L command.

--line-numbers
When listing rules, add a line number to the beginning of each rule, corresponding to that rule's position in the chain.

MATCH EXTENSIONS
iptables can use extended packet matching modules. The following are included in the base package, and most of them can be preceded by a "!" to invert the sense of the match.

tcp
These extensions are loaded if --protocol tcp is specified and no other match is specified. They provide the following options:

--source-port [!] [port[:port]]
Source port or port range specification. This can be either a service name or a port number. An inclusive range can also be specified, using the format port:port. If the first port is omitted, 0 is assumed; if the last is omitted, 65535 is assumed. If the first port is greater than the second, they are swapped. The flag --sport is an alias for this option.

--destination-port [!] [port[:port]]
Destination port or port range specification. The flag --dport is an alias for this option.

--tcp-flags [!] mask comp
Match when the TCP flags are as specified. The first argument is the set of flags to examine, written as a comma-separated list, and the second argument is a comma-separated list of flags which must be set (all other flags in the first list must be clear). The flags are: SYN ACK FIN RST URG PSH ALL NONE. Hence the command iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN only matches packets with the SYN flag set and the ACK, FIN and RST flags unset.

[!] --syn
Only match TCP packets with the SYN bit set and the ACK and FIN bits cleared. Such packets are used to request TCP connection initiation; for example, blocking such packets coming in on an interface prevents incoming TCP connections, while outgoing TCP connections are unaffected. It is equivalent to --tcp-flags SYN,RST,ACK SYN. If the "!" flag precedes --syn, the sense of the option is inverted.

--tcp-option [!] number
Match if the given TCP option is set.
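Added example, not from the man page: a shell emulation of the --tcp-flags mask/comp test, used to show why --syn is shorthand for --tcp-flags SYN,RST,ACK SYN and what the FORWARD rule -p tcp ! --syn -m state --state NEW -j DROP from earlier on this page actually catches. The bit values follow the flag byte of the TCP header; the function names are my own.

```shell
#!/bin/sh
# Bit value of each TCP flag, as in the flags byte of the TCP header.
flag_bit() {
  case $1 in
    FIN) echo 1 ;;  SYN) echo 2 ;;  RST) echo 4 ;;  PSH) echo 8 ;;
    ACK) echo 16 ;; URG) echo 32 ;; ALL) echo 63 ;; NONE) echo 0 ;;
    *) echo "unknown flag: $1" >&2; return 1 ;;
  esac
}

# "SYN,ACK" -> 18. Fails (like iptables does) on an unknown flag name.
flags_to_mask() {
  total=0
  oldifs=$IFS; IFS=,
  set -- $1
  IFS=$oldifs
  for f in "$@"; do
    bit=$(flag_bit "$f") || return 1
    total=$((total | bit))
  done
  echo "$total"
}

# Emulate "--tcp-flags MASK COMP" for a packet whose set flags are $1:
# look only at the flags named in MASK and require exactly the set in COMP.
tcp_flags_match() {
  pkt=$(flags_to_mask "$1") || return 2
  mask=$(flags_to_mask "$2") || return 2
  comp=$(flags_to_mask "$3") || return 2
  [ $((pkt & mask)) -eq "$comp" ]
}

# "--syn" is shorthand for "--tcp-flags SYN,RST,ACK SYN": SYN set, RST and
# ACK clear, any other flag (PSH, URG, FIN) ignored.
syn_match() { tcp_flags_match "$1" SYN,RST,ACK SYN; }

# Verdict of "-A FORWARD -p tcp ! --syn -m state --state NEW -j DROP" for a
# packet with flags $1 and conntrack state $2: prints DROP or PASS.
# A packet conntrack regards as NEW but which is not a connection opener
# (a bare ACK, or a SYN,ACK with no SYN seen before it) is dropped;
# the same ACK on an ESTABLISHED connection is not touched by this rule.
bad_tcp_verdict() {
  flags=$1; state=$2
  if [ "$state" = NEW ] && ! syn_match "$flags"; then
    echo DROP
  else
    echo PASS
  fi
}

# usage: bad_tcp_verdict ACK NEW        -> DROP
#        bad_tcp_verdict SYN NEW        -> PASS
#        bad_tcp_verdict ACK ESTABLISHED -> PASS
```

The mask/comp split is what makes --syn tolerant of PSH and URG while still rejecting a SYN,ACK: only the flags in the mask are compared, so a flag outside the mask can have any value.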

udp
These extensions are loaded if --protocol udp is specified and no other match is specified. They provide the following options:

--source-port [!] [port[:port]]
Source port or port range specification. See the description of the --source-port option of the tcp extension for details.

--destination-port [!] [port[:port]]
Destination port or port range specification. See the description of the --destination-port option of the tcp extension for details.

icmp
This extension is loaded if --protocol icmp is specified and no other match is specified. It provides the following option:
--icmp-type [!] typename
This allows specification of the ICMP type, which can be a numeric ICMP type or one of the ICMP type names shown by the command iptables -p icmp -h.

mac
--mac-source [!] address
Match the source MAC address. It must be of the form XX:XX:XX:XX:XX:XX. Note that this only makes sense for packets coming from an Ethernet device and entering the PREROUTING, FORWARD or INPUT chains.

limit
This module matches at a limited rate using a token bucket filter: a rule using this extension matches until the limit is reached (unless the "!" flag is used, which inverts it). It can be used in combination with the LOG target to give limited logging, for example.

--limit rate
Maximum average matching rate: specified as a number with an optional /second, /minute, /hour or /day suffix; the default is 3/hour.

--limit-burst number
Maximum initial number of packets to match: this number gets recharged by one every time the limit specified above is not reached, up to this number; the default is 5.
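Added example (not part of the original page) for the limit match described here and used in the FORWARD rules earlier (--limit 1/s --limit-burst 10 for ICMP, --limit 100/s --limit-burst 100 for fragments): a token-bucket simulation in shell showing how --limit and --limit-burst interact. The model is deliberately simplified (whole packets per second, millisecond timestamps, tokens scaled by 1000 to stay in integer arithmetic); the function name is my own.

```shell
#!/bin/sh
# Token-bucket model of "-m limit --limit RATE/s --limit-burst BURST".
# Usage: limit_sim RATE BURST t1 t2 ...   (packet timestamps in ms, ascending)
# Prints how many of the packets match the rule, i.e. would be ACCEPTed by
# "-m limit ... -j ACCEPT"; the rest fall through to the rules after it.
# Simplified model: RATE is whole packets per second; tokens are kept x1000.
limit_sim() {
  rate=$1; burst=$2; shift 2
  cap=$((burst * 1000))
  tokens=$cap       # the bucket starts full: BURST packets may pass at once
  last=0
  matched=0
  for t in "$@"; do
    tokens=$((tokens + (t - last) * rate))   # refill: RATE tokens per 1000 ms
    [ "$tokens" -gt "$cap" ] && tokens=$cap  # never more than BURST tokens
    if [ "$tokens" -ge 1000 ]; then          # one whole token pays for one packet
      tokens=$((tokens - 1000))
      matched=$((matched + 1))
    fi
    last=$t
  done
  echo "$matched"
}

# usage: a flood of 15 pings arriving at once against "--limit 1/s --limit-burst 10"
#   limit_sim 1 10 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0      -> 10
# one ping per second never touches the limit:
#   limit_sim 1 10 0 1000 2000 3000                   -> 4
```

The burst is spent first and then refilled at the average rate, which is why an ICMP flood against the FORWARD rule above lets the first 10 packets through and then about one per second, and why the remaining packets end up at the chain's DROP policy rather than being delayed.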

multiport
This module matches a set of source or destination ports. Up to 15 ports can be specified. It can only be used in conjunction with -p tcp or -p udp.

--source-port [port[,port]]
Match if the source port is one of the given ports.

--destination-port [port[,port]]
Match if the destination port is one of the given ports.

--port [port[,port]]
Match if both the source and destination ports are equal to each other and to one of the given ports.

mark
This module matches the netfilter mark field associated with a packet (which can be set using the MARK target below).

--mark value[/mask]
Matches packets with the given unsigned mark value (if a mask is specified, it is logically ANDed with the mark before the comparison).

owner
This module attempts to match various characteristics of the packet creator, for locally generated packets. It is only valid in the OUTPUT chain, and even then some packets (such as ICMP ping responses) may have no owner and hence never match.

--uid-owner userid
Matches if the packet was created by a process with the given effective user id.

--gid-owner groupid
Matches if the packet was created by a process with the given effective group id.

--sid-owner sessionid
Matches if the packet was created by a process in the given session group.

state
This module, when combined with connection tracking, allows access to the connection tracking state for this packet.

--state state
Where state is a comma-separated list of the connection states to match. Possible states are: INVALID, meaning the packet is associated with no known connection; ESTABLISHED, meaning the packet is associated with a connection which has seen packets in both directions; NEW, meaning the packet has started a new connection, or is otherwise associated with a connection which has not seen packets in both directions; and RELATED, meaning the packet is starting a new connection but is associated with an existing connection, such as an FTP data transfer or an ICMP error.

unclean
This module takes no options, but attempts to match packets which seem malformed or unusual. It is regarded as experimental.

tos
This module matches the 8 bits of the Type of Service field in the IP header (i.e. including the precedence bits).

--tos tos
The argument is either a standard name (use iptables -m tos -h to see the list) or a numeric value to match.

TARGET EXTENSIONS
iptables can use extended target modules. The following are included in the standard distribution.

LOG
Turn on kernel logging of matching packets. When this option is set for a rule, the Linux kernel prints some information on all matching packets (like most IP header fields) via printk().
--log-level level
Level of logging (numeric, or see syslog.conf(5)).
--log-prefix prefix
Prefix log messages with the specified prefix; up to 14 characters in the version documented here (29 in current releases). Useful for distinguishing messages in the logs.

--log-tcp-sequence
Log TCP sequence numbers. This is a security risk if the log is readable by users.

--log-tcp-options
Log options from the TCP packet header.
--log-ip-options
Log options from the IP packet header.

Note that LOG is a non-terminating target: the packet continues to the next rule, so a LOG rule is normally followed by a DROP or REJECT rule with the same match, and is itself usually rate limited with -m limit.

MARK
This is used to set the netfilter mark value associated with the packet. It is only valid in the mangle table.

--set-mark mark

REJECT
This is used to send back an error packet in response to the matched packet; otherwise it is equivalent to DROP.

This target is only valid in the INPUT, FORWARD and OUTPUT chains, and in user-defined chains which are only called from those chains. The following option controls the nature of the error packet returned:

--reject-with type
The type given can be icmp-net-unreachable, icmp-host-unreachable, icmp-port-unreachable, icmp-proto-unreachable, icmp-net-prohibited or icmp-host-prohibited, which return the appropriate ICMP error message (port-unreachable is the default). The option echo-reply is also allowed; it can only be used for rules which specify an ICMP ping packet, and generates a ping reply. Finally, the option tcp-reset can be used on rules which only match the TCP protocol, in the INPUT chain or in rules called from it: this causes a TCP RST packet to be sent back.
TOS
This is used to set the 8-bit Type of Service field in the IP header. It is only valid in the mangle table.

--set-tos tos
You can use a numeric TOS value, or use iptables -j TOS -h to see the list of valid TOS names.
MIRROR
This is an experimental demonstration target which inverts the source and destination fields in the IP header and retransmits the packet. It is only valid in the INPUT, FORWARD and OUTPUT chains, and in user-defined chains which are only called from those chains.

SNAT
This target is only valid in the nat table, in the POSTROUTING chain. It specifies that the source address of the packet should be modified (and all future packets in this connection are also mangled), and that rules should cease being examined. It takes one option:

--to-source ipaddr[-ipaddr][:port-port]
This can specify a single new source IP address, an inclusive range of IP addresses, and optionally a port range (which is only valid if the rule also specifies -p tcp or -p udp). If no port range is specified, source ports below 512 are mapped to other ports below 512; those between 512 and 1023 inclusive are mapped to ports below 1024; and other ports are mapped to 1024 or above. Where possible, no port alteration occurs.

DNAT
This target is only valid in the nat table, in the PREROUTING and OUTPUT chains, and in user-defined chains which are only called from those chains. It specifies that the destination address of the packet should be modified (and all future packets in this connection are also mangled), and that rules should cease being examined. It takes one option:

--to-destination ipaddr[-ipaddr][:port-port]
This can specify a single new destination IP address, an inclusive range of IP addresses, and optionally a port range (which is only valid if the rule also specifies -p tcp or -p udp). If no port range is specified, the destination port is never modified.

MASQUERADE
This target is only valid in the nat table, in the POSTROUTING chain. It should only be used with dynamically assigned IP (dial-up) connections; if you have a static IP address, use SNAT instead. Masquerading is equivalent to specifying a mapping to the IP address of the interface the packet is going out on, but also has the effect that connections are forgotten when the interface goes down. This is the correct behaviour when the next dial-up is unlikely to have the same interface address (and hence any established connections are lost anyway). It takes one option:

--to-ports port[-port]
This specifies a range of source ports to use, overriding the default SNAT source port selection heuristics (see above). This is only valid if the rule also specifies -p tcp or -p udp.

REDIRECT
This target is only valid in the nat table, in the PREROUTING and OUTPUT chains, and in user-defined chains which are only called from those chains. It alters the destination IP address to send the packet to the machine itself (locally generated packets are mapped to the 127.0.0.1 address). It takes one option:

--to-ports port[-port]
This specifies a destination port or range of ports to use; without this, the destination port is never altered. This is only valid if the rule also specifies -p tcp or -p udp.

DIAGNOSTICS
Various error messages are printed to standard error. The exit code is 0 for correct functioning. Errors which appear to be caused by invalid or abused command line parameters cause an exit code of 2, and other errors cause an exit code of 1.

BUGS
Check is not implemented (yet).

COMPATIBILITY WITH IPCHAINS
iptables is very similar to ipchains by Rusty Russell. The main difference is that the chains INPUT and OUTPUT are only traversed for packets coming into the local host and originating from the local host respectively. Hence every packet passes through only one of the three chains; previously a forwarded packet would pass through all three. The other main difference is that -i refers to the input interface and -o to the output interface, and both are available for packets entering the FORWARD chain. When using the default filter table with optional extension modules, iptables is a pure packet filter. This should simplify much of the previous confusion over the combination of IP masquerading and packet filtering, so the following options are handled differently:
-j MASQ
-M -S
-M -L
There are several other changes in iptables.
